In this video, Peter Oehlert, Senior Security Consultant, iSEC Partners, explains how the Implementation phase of
the Microsoft SDL applies to building Windows Azure applications. He starts by defining both the similarities and key
differences between implementing on-premises solutions and Windows Azure-based applications. Following the theme of
his previous theory video, Peter dives into specific tools that can help secure the implementation of applications
on Windows Azure, including Checkmarx, Coverity and Veracode. The conversation then moves to properly implementing defenses
against the usual web threats (SQL injection, XSS, authentication, etc.) in Windows Azure web applications.

Take a closer look at this month's Microsoft Security Bulletins in this video taped from a live broadcast September
11th. Hosts Dustin Childs and Jonathan Ness provide details that should prove helpful for deployment of these important updates.

In this video, Jason Glassberg, Co-Founder, Casaba, speaks about the Release phase of the Microsoft SDL and how to
apply its practices to applications built on top of Windows Azure. Jason explains that the Microsoft
SDL can apply to any cloud-based deployment, but focuses on Windows Azure, explaining that the steps are very similar to
those for a typical on-premises application (File an Incident Response Plan, Perform a Final Security Review and Release Archive).
In Azure, understanding the platform is doubly important when preparing an Incident Response Plan because
rolling back and stopping a deployment is vastly simpler than in an on-premises or full-platform hosted deployment. Because Azure
makes it so simple to deploy applications, Jason emphasizes the importance of reviewing the deployment and securing deployment-related
artifacts such as management accounts, access to the Service Management API and the SSL certificates used by applications.

In this video, Jason Glassberg, Co-Founder, Casaba, discusses the three security practices of the
Microsoft SDL Release phase. Jason talks about the planning for post-release contingencies by creating a
well thought-out incident response plan, then stresses the importance of the application of a Final Security
Review, its outcomes and mitigation of any outstanding issues. Finally he discusses the archiving of all
pertinent information and data to allow for post-release servicing of the software.

In this video, Peter Oehlert, Senior Security Consultant, iSEC Partners, discusses the security practices
of the “Implementation” phase of the Microsoft SDL. Peter uses the definition of what makes secure code as a point of
departure, then explains the benefits of the ease and repeatability the Microsoft SDL process brings to the creation of
such code. Peter then covers the importance of proper usage of the tools that are used during the Implementation phase and dives
into a discussion of IDEs, compilers, parsers, linkers and static analysis applications.

Related resources:
Whitepaper: The Simplified Implementation of the Microsoft SDL
Microsoft Security Development Lifecycle
Security Talk Series Webcast
Check out Windows Azure Subscriptions.

In this video, Aviram Jenik, CEO, Beyond Security, talks about processes that help build secure systems, focusing on the Verification phase of the Microsoft Security Development Lifecycle. Aviram discusses the concept of “black box” testing, explains the importance of testing data entry endpoints with good, bad and fuzzed input, and points to the tools that can assist with these tasks. On the practical side, Aviram shows a detailed demo of “JPG fuzzing”: generating malformed images and identifying vulnerabilities in an image processing application.

In this video, Chris Weber, Managing Partner and Robert Mooney, Senior Software Development, Casaba, speak about
applying Microsoft SDL Requirements security practices to applications built on top of Windows Azure, focusing on the “Requirements”
phase. Chris and Robert stress the similarities of Windows Azure applications to regular web applications, explaining that
you won’t be operating in an entirely new environment, and talk about the decreased need to focus on infrastructure and platform
and the increased focus on securing the application layer. The presenters explain the similarities and differences in planning
for security and privacy when deploying to Windows Azure, and explain how to map the existing and new risks to the cloud-based
environment.

Related resources:
Whitepaper: The Simplified Implementation of the Microsoft SDL http://go.microsoft.com/?linkid=9708425
Whitepaper: Security Best Practices for Developing Windows Azure Applications http://go.microsoft.com/?linkid=9751872
Microsoft Security Development Lifecycle http://www.microsoft.com/security/sdl
Security Talk Series webcasts www.microsoft.com/events/series/securitytalk
Check out Windows Azure Subscriptions bit.ly/AzurePromo

In this video, Aviram Jenik, CEO, Beyond Security, talks about applying the Microsoft SDL to applications built on top of Windows Azure, focusing on the Verification phase of the Microsoft Security Development Lifecycle. Aviram explains how the “black box” testing concept is increasingly relevant in the world of cloud-based applications, mentions classic user input attacks such as SQL injection and Cross Site Scripting (XSS), and enumerates the different inputs that should be focused on with Windows Azure-based applications.

In this video, Chris Weber, Managing Partner and Robert Mooney, Senior Software Development, Casaba, speak about the security practices of the “Requirements” phase of the Microsoft SDL. Chris and Robert explain the benefits of following the Microsoft SDL to building more secure, reliable, and standard-compliant software.

Related resources:
Whitepaper: The Simplified Implementation of the Microsoft SDL http://go.microsoft.com/?linkid=9708425
Microsoft Security Development Lifecycle http://www.microsoft.com/security/sdl
Security Talk Series webcasts www.microsoft.com/events/series/securitytalk

Watch this short video to learn more about Code Analysis for C++. The C/C++ Code Analysis tool is a static
analyzer, provided with the installation of Visual Studio Team System or Visual Studio Team Suite, that gives developers
information about possible vulnerabilities in their C/C++ source code. Common coding errors reported by the tool include
buffer overruns, uninitialized memory, null pointer dereferences, and memory and resource leaks.

In this video, Joe Basirico, Director of Security Services, Security Innovation, speaks about the “Design”
phase of the Microsoft SDL. Joe explains how designing secure systems sometimes requires thinking “backwards”
- instead of focusing on features of what the system should do, one should think of what the system should
NOT do. Taking this as a departing point, Joe dives into a discussion of foundational design principles
of building secure software, including least privilege, compartmentalization, input validation, auditing
and logging, cryptography and avoiding the “Not Invented Here” trap.

Watch this short video to learn more about the Banned.h header file. The Banned.h header file is one of the many free resources
in the Microsoft SDL Toolset. It is a sanitizing resource that supports the Microsoft SDL requirement
to remove banned functions from code. It lists all banned APIs and allows any developer to locate them in code.

Watch this short video to learn more about the BinScope Binary Analyzer tool. BinScope is one of the many free tools available
as part of the Microsoft SDL Toolset. BinScope is a Microsoft verification tool that analyzes binaries on a project-wide
level to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements
and recommendations. BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in
use, up-to-date build tools are in place, and the latest good ATL headers are being used. BinScope also reports on dangerous
constructs that are prohibited by SDL.

Watch this short video to learn more about the MSF-Agile+SDL Process Template. The MSF-Agile+SDL Template is one of many
templates and tools available to help you implement the Microsoft SDL. MSF-Agile+SDL Process Template is a Team Foundation
Server downloadable template that automatically incorporates the policy, process and tools associated with the SDL for Agile
development guidance into the familiar Microsoft Solutions Framework (MSF) for Agile software development (MSF-Agile) process
template that ships with Visual Studio Team System.

Watch this short video to learn more about the SDL Process Template. The SDL Process Template is one of many free templates
and tools available in the Microsoft SDL Toolset. The SDL Process Template is a downloadable template that leverages the
technology of Visual Studio Team System (VSTS) and Team Foundation Server (TFS) to automatically integrate the policy, process
and tools associated with the Security Development Lifecycle version into your software development environment.

Watch this short video to learn more about the SDL Threat Modeling tool. The SDL Threat Modeling Tool is one of many free tools made available as part of the SDL Toolset. The SDL Threat Modeling Tool is the first threat modeling tool which isn't designed for security experts. It makes threat modeling easier for all developers by providing guidance on creating and analyzing threat models.

Watch this short video to learn more about the SiteLock ATL (Active Template Library) template. SiteLock ATL is one of the many free templates and tools that are available as part of the Microsoft SDL Toolset. The SiteLock ATL template enables an ActiveX developer to restrict access so that a control is only deemed safe when used in a predetermined list of domains. This limits the ability of Web page authors to reuse the control for malicious purposes.

Watch this short video on CAT.NET. The CAT.NET tool is one of the many free tools that are available as part of the Microsoft SDL Toolset. It's available in both 32-bit and 64-bit versions. CAT.NET is a command line tool that helps you identify security flaws within a managed code (C#, Visual Basic .NET, J#) application you are developing. It does so by scanning the binary and/or assembly of the application, and tracing the data flow among its statements, methods, and assemblies. CAT.NET also helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection, and XPath Injection.

Watch this short video on MiniFuzz File Fuzzer. MiniFuzz is one of the many free tools that are available as part of the Microsoft SDL Toolset. MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected and potentially insecure application behaviors.

Watch this short video to learn more about SDL Regex Fuzzer. SDL Regex Fuzzer is one of the many free tools in the Microsoft SDL Toolset. Regular expression patterns containing certain clauses that execute in exponential time (for example, grouping clauses containing repetition that are themselves repeated) can be exploited by attackers to cause a denial-of-service (DoS) condition. Regex Fuzzer can help test regular expressions for these potential vulnerabilities.

Watch this short video on the Microsoft SDL Toolset overview. Doug Cavit, from the Microsoft SDL engineering team, explains why IT executives and managers should encourage their development teams to download the SDL Implementation guidance and SDL tools to see how they can implement a software security assurance process such as the Microsoft SDL. The tools in the Microsoft SDL toolset are meant to work together to help a company implement all the phases of the Microsoft SDL, from requirements to software release, so that companies can write secure software more easily. The Microsoft SDL toolset and process guidance are both FREE to download by our customers from the Microsoft SDL website.

This video helps to illustrate the core concepts of the Microsoft Security Development Lifecycle (SDL) and discusses the individual security activities that should be performed in order to claim compliance with the SDL process.

Bryan Sullivan, Senior Security Program Manager for Microsoft, illustrates how teams can ensure applications
developed with rapid release cycles are still developed in a secure manner. Many development organizations
use Agile software development methodologies to build their applications, yet Agile – just like every other
development methodology – does not inherently produce secure deliverables. Secure development practices need
to be “baked-in” throughout every iteration or sprint. The Security Development Lifecycle for Agile (SDL-Agile)
process defines a set of activities that development teams can follow to reduce security vulnerabilities.
SDL-Agile also specifies the conditions and frequencies with which these activities should be performed,
in order to optimize the security of the delivered product and to ensure that teams have the time and freedom
to innovate and create new features. You can find additional information on SDL-Agile here: http://msdn.microsoft.com/en-us/library/ee790621.aspx

This video gives a brief overview of the BinScope Binary Analyzer and then walks through how
to configure and use BinScope to analyze an application within Visual Studio. The walkthrough demonstrates
integration with TFS and the SDL Process Template, showing easy creation of work items from detected problems.
Download BinScope here and begin leveraging the verification capabilities of BinScope immediately.
Learn more about the Microsoft Security Development Lifecycle (SDL) and tools Microsoft has published
at the SDL Tool Repository site.

This video gives a brief overview of the MiniFuzz File Fuzzer and then walks through how to configure and use MiniFuzz to perform fuzz testing on an application. The walkthrough launches MiniFuzz as an add-on to Visual Studio and demonstrates integration with TFS, showing automatic creation of work items from detected crashes. Download MiniFuzz here to get started with this easy-to-use file fuzzing tool. Learn more about the Microsoft Security Development Lifecycle (SDL) and tools Microsoft has published at the SDL Tool Repository site.